Invested in SaaS? How to ensure your cloud is protected
Mon 15 Feb 2016
With the rise in everything as a Service (“aaS”), the performance of the cloud is critical to the availability of your IT systems, and the productivity of your business. If you have invested in Software as a Service, how can you be sure that your provider is adequately protecting your service? There are a few things you can look out for, and it’s worth asking some questions of your provider, whether you’ve already committed to SaaS or are just about to.
In the 2e2 scenario, customers were held to ransom for £1 million to ensure that their service would continue. Imagine a similar scenario should your SaaS provider, or data centre providing services to your SaaS provider, go bust. All your data is held on systems that you have no control over, and an administrator is attempting to recuperate as much debt as possible from your provider’s customers i.e. you. A good provider will offer you an Escrow service which is written into the contract – it means that for a pre-arranged fee an independent provider will take over the running of your systems should there be any discontinuation of service, until you decide what to do long term. The independent provider will have a copy of your systems and data from day one so that an administrator can’t hold you to ransom. An excellent form or protection against the risk of insolvency.
Although you may also have contracts which state that the data always belongs to you, how do you get at it? When you’re not in control of the platform, and with legal contracts often not protecting your data against insolvency, then getting your data back can be tricky. It’s crucial to maintain up to date copies of your data with a third party so you regain control. Even if this is an off-site backup carried out in-house, just make sure that you have access through someone independent to your SaaS provider.
Where is my data held?
It’s probably one of the questions you thoroughly researched when you chose your SaaS provider, but there may be a few things here you didn’t consider. Check whether the data centre has secure fencing all around to prevent anyone from getting too near to the building, is there gated access control or is anyone allowed through the gates? Is it near a road, river, railway, power lines that can all damage the data centre or cause a failure? What condition is it kept in? Becuase most IT failures are caused by human error and hardware failure you really want to keep people away from the systems as much as possible, and prevent hardware failures wherever possible. You should really do your homework and assess the locations yourself to ensure you are happy with the risks.
Ideally you should have four copies of your data held in locations which are far enough away from each other to not be impacted by the same disaster, and with at least two providers so you retain some level of control over the recovery process when required. Many SaaS providers have two locations, and offer no independent safety net, while some providers only keeping your data in one location. Obviously the risks with this are very high, and your level of control is very low.
Data centre disaster?
Do you have guaranteed SLAs around recovery times and what is the recovery process? Typically, if a data centre has an outage (and this happens more regularly than you may think) then they will be primarily focused on restoring the data centre itself. They will then have a long list of customers to recover – where will you sit in the queue? Disaster Recovery options vary depending on what you pay for. The best question to ask is how much service costs with and without the Disaster Recovery option? If it’s the same then you’re likely to be getting very little – a replication service is really a backup service, but would you really want your live provider to be managing your recovery when they are busy managing their own? A good provider will be able to offer recovery time guarantees, not just SLAs. Ask for evidence of this and see whether there is an independent provider to offer you added protection against the risk of your systems being entirely under the control of just one provider.
System virus or cyberattack?
If your DR solution is data replication to a secondary location, then your replica systems will soon be infected too. What will you use to restore from in this eventuality? What your SaaS provider should ensure is that a copy of your systems, that has been tested, is held in isolation from your live systems so it can’t be infected by a virus. Ideally this would be with a third party provider for complete isolation. With all the anti-virus software in the world, they still get through and cause a lot of downtime!
A DDOS attack, where your provider’s bandwidth and resources are flooded by cyberattacks, can also render your IT systems unavailable for months. They are very hard to deflect, although there are software tools that can help manage the risk. Should your provider be unlucky enough to experience one, what is the plan? Having a secondary means of running your system on an independent platform via a DR provider should be considered. This may be offered by your SaaS provider, but make sure you ask the question.
Whilst SaaS providers offer many benefits over running licensed versions on premise, a bit of due diligence around the protection of their ‘cloud’ will prevent any unplanned interruptions to your business.